 Tips for Securing Your Home Router
Seemingly minor and easily overlooked settings can still have profound security implications. Here are some steps you can take to make sure your wired or wireless home router — and by extension, your network — is as secure as possible.

Most Popular Reviews

 Microsoft Windows Home Server
If you have a home network, you'll welcome the easy file sharing, remote access and the image-based backup features of Windows Home Server.

 MikroTik's The Dude
This free tool delivers many of the same capabilities that you'd find in pricey network monitoring tools. As long as you don't mind tinkering, The Dude is a decent network utility that should be worth the download.

The file system in Windows XP is based on Windows NT and Windows
2000, so many of its features are new to users of Windows 95, 98,
and Me. In this article, we'll show you how to set up your Windows
XP Professional computer to share its disks and folders with other
Windows computers on a network, give access to desired users, and
keep other users out.

In Windows 95/98/Me, you can assign a password to a shared disk
or folder, so that only people who know the password can gain access.
That works well in a small home network where, for example, Mom
and Dad know the password to the family's financial data, but Junior
doesn't. But it isn't practical in a large corporate network, where
Windows XP Professional is likely to be used. It's hard to keep
a password secret in a large company, and changing to a new password
requires giving it to everyone who needs to use it.

Windows XP Professional replaces password-based security with two
alternatives:

Simple File Sharing is enabled by default on Windows
XP Professional systems that are members of a workgroup (typically
used in small networks) rather than a domain (typically used in
large corporate networks). For full details, see our article
on Simple
File Sharing.There are no passwords or access restrictions
and, with one exception described in the article, everything that's
shared is accessible by everyone on the network. Simple File
Sharing is the only type of sharing available in Windows XP Home
Edition.

By disabling Simple File Sharing, you can specify an Access
Control List (ACL) for each shared disk or folder. The ACL
specifies which users are allowed to have access.

Create shared folders called Girlstuff, Boystuff,
and Kidstuff, which will allow different levels of access
to different people. Boystuff will be accessible to Alasdair
and Fraser, Girlstuff will be accessible to Iona and Catriona,
and Kidstuff will accessible to them all;

See how the users access the shared folders.

Finally, we'll show you how to access Windows XP Professional's
shared disks and folders from another computer on the network, adding
some information about file permissions in the NTFS file system,
and giving solutions for some common network access problems.

Disable Simple File Sharing

Disabling Simple File Sharing is necessary in order
to enable the creation of Access Control Lists for shared disks
and folders:

Click Start | My Computer | Tools | Folder
Options | View.

Scroll to the bottom of the list of advanced settings and un-check
Use Simple File Sharing (Recommended).

Click OK.

Create User Accounts

There are a couple of ways to do this, but let's start simply by
clicking Start | Control Panel | User Accounts.
We describe a more comprehensive method later.

You'll see all of the existing accounts on the computer. You probably
created these when you installed Windows XP. You'll also see the
Guest account. It may or may not be enabled, depending on
whether you have previously enabled Simple File Sharing.

Click
Create a new account, and enter the new user's name. Here,
we're creating an account for Alasdair:

Click
Next, and choose the account type. This determines (rather
simplistically) which group the user will be placed in. There's
generally no good reason to grant remote users Computer administrator
privileges, so select Limited, and then click Create Account.
The new account appears in the User Accounts window.

Repeat
as required until all of the desired user
accounts are created.

User Accounts: Password or No Password?

By default, a user account is created with no password. This means
the user may sit down locally at the XP machine and log on without
entering a password.

However, by default, Windows XP will not permit a network
user to access the XP machine using an account set up without a
password!

You have two options on how to proceed from here:

If you want any degree of security, assign user passwords.
This will, however, require the users to log on to their client
machines using a password.

Many people prefer to set up their Windows 95/98/Me machines
using Windows Logon and no password, so the machine boots
directly to the Windows desktop without a logon prompt. In this
case, you need to make a Security Policy modification on the XP
Professional machine to permit users without passwords to connect
from the network.

Taking each option in turn:

Adding a Password to a User Account

In Control Panel| User Accounts, click the desired
account, and then click Create a password. Enter the password,
and then enter it again to confirm it. Enter a password hint
if you'd like – a user who forgets the password can look at
the hint at the logon screen as a memory aid. Then click Create
Password to make it take effect.

In
the User Accounts menu in Control Panel, the user
account now shows as being Password protected:

The user must now log on to his or her local computer using that
password.

Permitting Network Access Without a Password

To allow users to log onto their computers without a password and
then access the XP Professional machine without a password, you
must make a security policy change:

Double-click Accounts: Limit local account use of blank
passwords to console login only, which is enabled by default.
Disable this option and click OK.

This will permit network access without a password. The user's
computer can boot directly to the Windows desktop, and be validated
against the corresponding XP Professional user account, without
a password.

Note that the term “blank passwords” isn't technically
accurate. There's a difference between having a password which
consists of one or more blank characters, and having no password
at all. This setting actually permits access by users who have
no password at all.

Here
are your user accounts! You can fine-tune their settings from
here or create new users using the Action | New User
menu option!

Create User Groups

You may wish to group users together for administrative convenience.
For example, a university might define groups of users called
Staff and Students. Settings that you make for
a group automatically apply to all of the users in the group,
so you don't have to make the same settings individually for
each user.

You can create as many groups as you like, include any number
of users in each group, and include each user in any number
of groups. Here's an example of creating a new group:

From the Computer Management window, open System
Tools | Local Users and Groups | Groups;

Select Action | New Group;

Give the new group a name and description;

Click Add to add users to the new group.

In the Select Users window, set the Object Type
to Users and click OK. The Location
should show the name of your computer.

Click Advanced, and then click Find Now to
see a list of user accounts.

Select users who you wish to be members of the new group.
You can make multiple selections by holding down <Ctrl>-
whilst clicking.

Click OK twice.

Click Create to create the new group. It can now be
added to shares, the same way as individual users.

Create Shares

In this example,
we've used Windows Explorer to browse to the root directory
of the C: drive. In the right-hand pane, we right-click, select
New | Folder, and enter the name Boystuff.
Similarly, we create folders called Girlstuff and
Kidstuff.

To
specify sharing options for the Boystuff folder:

Right-click the folder and select Sharing and Security.

On the Sharing tab, select Share this folder
and enter a share name.

Add a comment if desired. This comment describes the share
and appears in My Network Places on other computers.

Leave the User limit alone. On XP professional,
the maximum limit is 10.

Set Up Access Control Lists on the Shares

Click
Permissions. Notice how, by default, the Everyone
group has Full Control. This means that all users can
read, write, and even delete files. That's not what
we want at all!

To
change the share permissions:

Click Add, and then choose Object Types.

Un-check Built-in security principles and Groups,
because we only want to see Users.

Click OK. From this location should show
the name of your computer.

Choose Advanced, and click Find Now.

Click on the users who should have access this share.

Power User Tip: Ctrl-Click
allows you to make multiple selections!

Click
OK, and the users are added:

You may repeat this to add additional users. When done, click
OK.

You're
now back at the ACL editor. By default, the newly-added users
have read-only access. If you want them to have read/write access,
then tick the Change box. You need to do this for each
user! Select each user in the list in turn, and specify Change
permission. Don't give limited users Full Control.

To prevent Guest access to this share, we must remove
the Everyone group! Select it, and click Remove.

The
ACL is now as we want it: Boystuff is only accessible
by Alasdair and Fraser. Click OK to close the ACL permissions
window.

Then click OK to close the share properties. Now, only
the specified users can access the shared folder!

Right-click
the Girlstuff folder, then repeat the procedure above
to give Iona and CatrionaChange permission
for the share. Remember to remove the Everyone group!

Finally,
right-click the Kidstuff folder, and repeat the procedure
to give all the kids Change permission for the share.
Again, remember to remove the Everyone group.

The share permissions are now set up on the XP Professional
machine!

NTFS Permissions

The Access Control List is a tool for protecting network shares,
but it doesn't stop someone from walking up to the computer,
logging in, and looking at the files on the computer. Share
permission and ACLs don't apply to a user who logs in locally.
To keep files private from other local users, Windows XP provides
a different mechanism. You can assign permissions to individual
files and folders at file system level. This is called File
Permissions, and it's only available on NTFS volumes. You
can't set File Permissions on FAT volumes.

By default, Windows XP uses File Permissions only in the Documents
and Settings folder, to keep each user's documents private
from other users. When a user logs on locally for the first
time, his 'Home Directory' is created within the Documents
and Settings folder. The default settings for all of the
folders and files in each user's My Documents folder
are:

The owner of the file or folder has read and write permission;

Local Computer Administrators have read and write
permission;

Nobody else may read or write to the folder or the files
in it.

Notice that Administrators can look into the user's
My Documents folder. Be aware that any user accounts
that you created when you installed XP are Administrator
accounts, and that they can all look into each other's My
Documents folders! Individual users may step up the security
a notch to remove Administrators from the list. Then,
only that individual user can access his or her own files. When
a user with an Administrator account sets a password
on the account, Windows XP automatically prompts the user to
step up the security on My Documents. It's then called
Private.

In order access shared data, a user connecting from the network
needs to get past both gatekeepers:

The ACL must allow access to the share;

The NTFS File Permissions must allow access to the file.

Having set up the share permissions, do we now need to do anything
with NTFS permissions?

The short answer is 'It Depends'.

If the shared folder is contained within Documents and Settings
(e.g. the My Documents folder), then you might. This
is because Windows XP sets NTFS permissions within this folder
structure to prevent users from accessing each other's data.
It depends on whether the user accounts are Limited or
Administrators, and it also depends on whether the shared
folder has been previously marked as Private.

If you created a folder structure elsewhere, then you most
likely do not need to do anything more. The necessary permissions
will be 'inherited', ultimately from the root folder, e.g. C:\

In the example we've used so far, we don't need to do any further
configuration for everything to work.

Power User Information: To
see why, look at the NTFS permissions. Run Windows Explorer,
and browse to c:\Boystuff. Right-click the folder and
select Sharing and Security. Go to the Security
tab and look at the list. Note that the permissions are additive.
Apart from yourself and Administrators, how can the users
Alasdair and Fraser access the data in this share?
It looks like they are not included on the NTFS permissions!

The
answer is due to their membership in the Users group.

Click the Users group to see what permissions it has.

They
seem to have Read-only access. Yet, if you try it, they have
Write access, too! How can this be?

Scroll down, and see they have 'Special' permissions. This
is gray, indicating they've inherited this permission from a
parent folder.

What, pray tell, is Special Permission? Click Advanced
to see. In the Permission entries window, double-click
Allow Users(RONS-PC\Users) Special Inherited From C:\.
You'll see that it has inherited Write permission from the Root
folder:

Connecting to a Share from a Client Computer

When a user on another computer on the network attempts to
access a shared disk or folder, Windows XP Professional checks
to see whether that user has permission to access it. The client
computer sends the user name and password of the user who is
currently logged in, and the XP Professional computer checks
them. If those ‘credentials' match an account on XP Professional,
then it checks the ACL for the shared disk or folder. If the
ACL permits access by that user, access is granted; if not,
access is denied.

On a client running Windows 95, 98, or Me, that's the whole
story. The user must be logged in with a user name and password
that XP Professional recognizes.

On a client running Windows 2000 or XP, there's more to the
story. If XP Professional doesn't recognize the logged-in user
name and password, it causes the client computer to prompt the
user to enter a different user name and password.

Connecting to a Share from Windows 95, 98, or Me

The following shows how to connect to a shared disk or folder
from a computer running Windows 95, 98, or Me, and also shows
some of the more common error conditions which can occur. In
this example, the client computer is running Windows 98 Second
Edition.

Under Windows 95/98/Me, you can set the Primary Network
Logon to Windows Logon, and all of the networking
features described here will function correctly. The only situation
in which the Primary Network Logon must be set to Client
for Microsoft Networks is to log on to a Windows NT server
or a Windows 2000 server.

The most important thing is to understand that everything is
keyed to the user name. When you boot up the client machine,
you need to get logged in with the correct user name.

Many Windows 95/98/Me machines are configured to boot all the
way through to the Windows desktop without the user actually
performing a login. If this is the case, click the Start
button, and look at the Log Off menu option. It will
show you what user name is currently logged on. If it isn't
correct, then click Log Off and log back on under the
correct user name. If the XP Professional account was set up
with a password, then you must enter that password at the Windows
logon prompt. If you configured XP to permit ‘blank' password
authentication, then you may click OK without entering
a password.

Now,
you ought to be able to browse the network by double-clicking
Network Neighborhood (or My Network Places).

If you get an error at this stage, you're most likely not logged
on. See the Troubleshooting section for how to proceed.

You can now browse the contents
of the XP Professional machine by double-clicking it.

If the list of shares appears, then all is well. However, a
common failure at this point is to be asked for the IPC$
password. This happens because the XP Professional machine is
not satisfied with the credentials of the user attempting to
browse it. See the Troubleshooting section for how to
proceed.

You
may now look in the individual shares. If all is well, you'll
see the shares that the user has permissions for, yet you ought
to get an Access Denied error (below) if you attempt
to access other shares. In this example, we're logged in as
Fraser and can access the Boys' stuff, but not the Girls'
stuff (right).

Connecting to a Share from Windows 2000 or XP

If Windows XP Professional doesn't
recognize the user name and password presented by a Windows
2000 or XP computer which wants to access a share, you can enter
different credentials. Here, we're logged on to another Windows
XP computer as a user which doesn't have an account on the computer
named RONS-PC. Entering a valid user name and password grants
access.

Sharing folders in My Documents

In this example, we cover the situation where you need to consider
NTFS permissions as well as share permissions.

The situation described here will only occur if either of the
following conditions is true:

In either of these cases, you'll run into NTFS permission problems.
However, if you created the user accounts as Administrator
accounts, and the My Documents folder has not been marked
as Private, then no further action is necessary, since
Administrators have NTFS access to default (non-Private)
My Documents folders.

We're logged on to the XP machine as Ron and wish to
share the My Documents folder across the network to the
girls, Iona and Catriona.

I use Windows Explorer, browse to My Documents, right-click,
and look for Sharing and Security. It's missing! Presumably,
you're only expected to share sub-folders of My Documents.
The option is present on My Music, My Pictures
etc.

If you really want to share the whole My Documents folder,
you still can: right-click it and select Properties to
see the Sharing and Security tabs.

We give it a share name (names containing blanks can cause
problems, so we've made it My-Documents). In the Permissions
button, we add Iona and Catriona with Read
and Change permission, and remove everyone, as
before.

Now to test it!

We log on to a client PC as Iona.

We can browse Network Neighbourhood.

We can browse the XP computer;

We have access to Girlstuff, as expected.

We have Access Denied to Boystuff, as expected.

But when we try to access My-Documents, we get an error
message!

What happened? We gave Iona permissions to access the
share, so why was she was not allowed?

Remember about network user having to get past both gatekeepers?
Well, Iona got past the share permissions level, only
to be blocked at the NTFS permissions level.

Remember also that XP Professional sets up NTFS permissions
on the My Documents folder and that we created the users
as Limited accounts, not Administrator accounts.

Let's go back and fix it. We use Windows Explorer, browse
to My Documents, right-click it, and select Properties.
This time, we choose the Security tab. Notice how ONLY
Administrators and the Owner have any permissions!

To fix this issue, we need to either:

Change the user accounts to Administrator accounts.
This will add the user to the Administrator group and
resolve the issue. Notice that this will not work if we've
previously used Simple File Sharing to mark My Documents
as Private. If you refer to the matrix in the Microsoft
Knowledge Base article Description
of File Sharing and Permissions in Windows XP, you'll
see that this removes Administrator' from the NTFS
permissions.

Change the NTFS permissions to explicitly permit the desired
users or groups.

Let's
take the second approach. Use the Add button to add
the users or groups that should have access to the shared folder.
We could choose to add the group USERS, or we could add
individual users. In this case, we'll add just the individual
users Iona and Catriona, and we need to explicitly
add Write permission.

Now, when Iona tries to gain access to the share across
network, there's no problem:

That concludes our fairly exhaustive tour of XP Professional
sharing and NTFS security!

Questions and Answers

Question:Should you now disable the Guest
account? Having set up explicit share permissions, do you still
need the Guest account enabled?

Answer: Most network administrators would not
enable the Guest account.

If ALL users who you wish to permit to access to your machine
have specific accounts, then you should disable the Guest
account. They will still have access to shares that you
created with Simple File Sharing, because this put the
everyone group in the ACL, and that includes all the
users you created, as well as guests.

If you need to allow 'other' unspecified users access to some
of the shares, then you must leave the Guest account
enabled.

The guest users will only be granted access to shares with
Guest permissions. That includes any shares with the
Everyone group. They will be unable to access shares
without explicit guest permissions.

NOTE:In Control Panel | User Accounts,
there is apparently the option to turn the Guest account
off.

This does not disable the Guest account.

It only prevents Guest logins at the console of
the local machine. The Guest account is still enabled
for network access!

Use the method described above to disable the Guest
account. Note also that turning the Guest account on
from Control Panel | User Accounts will both enable
the Guest account and permit local login.

Question: If you have more than one XP Professional
machine, do you need to create user accounts on them all?

Answer: Say you have several XP Professional
machines, each with disks and folders to be shared. When you
go to add users to the ACL, the only users available to be added
are from the local machine! Do you need to create identical
user accounts on all the machines?

The basic answer is YES. You need to create identical user
accounts on all machines which a user needs to access. It's
best if the user name and password are the same on all of them.
Then, the user name and password offered by that machine will
be accepted by all of the other computers.

Does this seem messy? Wouldn't it be more sensible if the user
accounts could be created on one central machine, and in the
ACL editor you had the option to select remote users from the
central user list as well as just locally-defined users?

Well, you can, and this is called a domain. A domain
is a group of computers which share a common user account database.
To create a domain, you need a Windows NT or Windows 2000 server
set up as a ‘domain controller'. You then create all the
user accounts on the domain controller. Individual servers (machines
with stuff to share) 'join' the domain. You do not create user
accounts on them. The act of 'Joining the Domain' adds a new
option in the ACL editor. Now, you can add not just local users,
but also users and groups from the domain. Now, we have a single
centralised set of user accounts which can be used across multiple
servers.

It is beyond the scope of this article to describe domains
any further.

Troubleshooting

The following errors are common when attempting to connect
to a share:

Unable to Browse the Network

On a Windows 95/98/Me machine, the most common cause of this
is that the user isn't logged on. Look on the Start menu,
under the Log Off option. If it shows Log Off <user
name>, then you're logged on. If it shows just Log
Off', then you're not logged on.

One reason for this is the user hitting ESC or clicking
Cancel at the login dialog. They must not do that. Either
enter the password, or leave the password empty and click OK.
If the user is never presented with a login dialog and is still
not getting logged in, then refer to Microsoft
Knowledge Base article Q141858 for a likely fix.

User is prompted for IPC$ Password

This happens when you attempt to browse the XP machine, but
the XP machine is not satisfied with the credentials of the
user. In other words, it doesn't know who you are. Possible
causes:

Your current user name doesn't exist on the XP machine.
To fix this, either enable the Guest account, or log
in with a user name which has a valid account on the XP machine.

The current user name is valid, but its password doesn't
match the password for that account on the XP machine. To
fix this, either:

Change the password on one of the machines to match the
other, or;

Enter the XP machine's password for that user name at
the IPC$ prompt.

Error 31 when attempting to browse the XP machine

This error occurs if you set up a user account without a password,
and then attempt to log in across the network. By default, Windows
XP doesn't permit remote users to connect from the network without
a password. To allow access without a password: